Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Cyble Vision Alerts Darkweb Data Breaches

Cyble Vision Alerts Darkweb Data Breaches

Back
Id588a2ee5-978a-43f7-9c10-6d76d82026ef
RulenameCyble Vision Alerts Darkweb Data Breaches
DescriptionDetects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.
SeverityLow
TacticsReconnaissance
InitialAccess
Exfiltration
Collection
TechniquesT1589
T1078
T1048
T1530
Required data connectorsCybleVisionAlerts
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorGreaterThan
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
Version1.0.0
Arm template588a2ee5-978a-43f7-9c10-6d76d82026ef.json
Deploy To Azure
Alerts_darkweb_data_breaches 
| where Service == "darkweb_data_breaches" 
| extend  MappedSeverity = Severity

eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cyble Vision/Analytic Rules/Alerts_Darkweb_Data_Breaches.yaml
query: |
  Alerts_darkweb_data_breaches 
  | where Service == "darkweb_data_breaches" 
  | extend  MappedSeverity = Severity  
enabled: true
version: 1.0.0
queryFrequency: 30m
id: 588a2ee5-978a-43f7-9c10-6d76d82026ef
requiredDataConnectors:
- dataTypes:
  - CybleVisionAlerts_CL
  connectorId: CybleVisionAlerts
name: Cyble Vision Alerts Darkweb Data Breaches
description: |
    'Detects darkweb credential leakage and data breach records from CybleVision. Extracts leaked username, email, password hashes, registration dates, and metadata using the Alerts_DarkwebDataBreaches parser. Incidents grouped per service.'
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: PT5H
    enabled: false
    reopenClosedIncident: false
  createIncident: true
triggerOperator: GreaterThan
suppressionDuration: PT5H
queryPeriod: 30m
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |
        Username {{DB_Username}} Registration date {{DB_RegistrationDate}} Breach source {{Breach_Source}}
  alertDisplayNameFormat: CybleVision Darkweb Breach for {{DB_Email}}
tactics:
- Reconnaissance
- InitialAccess
- Exfiltration
- Collection
status: Available
severity: Low
relevantTechniques:
- T1589
- T1078
- T1048
- T1530
subTechniques: []
customDetails:
  BreachSource: Breach_Source
  Structured: DB_Structured
  Service: Service
  MappedSeverity: Severity
  DisplayName: DB_DisplayName
  RegistrationDate: DB_RegistrationDate
  BreachDate: DB_Date
  LeakedEmail: DB_Email
  Status: Status
  AlertID: AlertID
  Tags: DB_Tags
  UserName: DB_Username
  S3Key: DB_S3Key
  PasswordHash: DB_PasswordHash
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: DB_Username
    identifier: Name
- entityType: DNS
  fieldMappings:
  - columnName: Domain
    identifier: DomainName
- entityType: IP
  fieldMappings:
  - columnName: IP
    identifier: Address
- entityType: Mailbox
  fieldMappings:
  - columnName: DB_Email
    identifier: MailboxPrimaryAddress